[prev in list] [next in list] [prev in thread] [next in thread]
List: eros-arch
Subject: Re: [EROS-Arch] Installers
From: Norman Hardy <norm () cap-lore ! com>
Date: 2001-04-12 5:26:57
[Download RAW message or body]
At 8:10 AM -0500 3/29/01, Jonathan S. Shapiro wrote:
>Joerg Bornschein wrote:
...
>I think we are mostly in complete agreement, except about this last
>part. It is desirable to have a registry of what was given to whom, so
>the shell probably isn't the best tool to use here. A seperate
>installation shell is probably worthwhile.
>_______________________________________________
I realize that it is poor form to re-raise a thread that most were
probably glad to see disappear almost two weeks ago but it has been
percolating in my head since then.
I need a minder to help me remember to whom and to what I have
disseminated capabilities. I think there is general agreement on that.
Regarding the issue of fixed-trusted-installer, vs. Turing complete
installer, note that security comes from the capabilities accessible
to the installer, not the nature of the algorithm. This point was
indeed made several times in different forms.
Occams razor may be lurking behind both sides of this discussion.
Turing complete seems more complex than declarative installation
scripts but only if you contemplate a new installation language.
Here is a bare bones proposal. An EROS application, ready to be
installed, is distributed in the form of an array of bytes which is
copied by the installation service into an EROS segment. The service
then creates a domain (process) with capabilities described below.
Part of the address space of the domain is the segment. The segment
contains any machine code to perform installation initialization.
The initial capabilities of this installations domain are:
--a directory of standard immutable services, (factories etc.),
--perhaps another directory of non-standard services (a vexing issue)
--a space bank,
--a meter (if Keykos),
--A node capability to the top of the memory tree of the domain so
that the installation code can manipulate it memory during
installation. (This node already holds the segment capability.)
--a resume capability via which to return the yield of the
installation (most likely a factory requestor's key).
--Perhaps a capability thru which to plead--negotiate for unusual
authority from the person.
The installation yield would get brownie points if it refrained from
accessing some of the directory content. Note that directory fetches
can be monitored and the directory rescinded upon completion of the
installation. This fetch information can feeds a partial order that
knows what depends on what.
The initial capabilities would be mostly per installation. Invoking
the bank of an installation would suffice to undo the installation,
harming only the users of the yield.
This is mostly in line with the ideas at
<http://cap-lore.com/CapTheory/Personal.html>.
--
Norman Hardy <http://cap-lore.com/>
_______________________________________________
eros-arch mailing list
eros-arch@mail.eros-os.org
http://www.eros-os.org/mailman/listinfo/eros-arch
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic